The transition of protected health information (PHI) and personal health information, or consumer health information, to the cloud has made healthcare providers an increasingly popular target for cyber attacks. Over 40 million individuals had their medical records appear in data breaches in 2021! Although most people think of hacking as criminals forcing their way through security systems, research from Stanford found that 88% of data breaches happen as a result of human error.
The nature of healthcare data makes it extremely sensitive information. Since most breaches happen because of internal mistakes, one would expect that healthcare worker cybersecurity training is assigned to every employee with access to health data, but that is not the case. Data from Osterman Research found that a whopping 24% of healthcare workers were not offered security awareness training at their workplace!
These low training rates mean that nearly a quarter of healthcare employees may not be aware of what constitutes risky behavior that increases the likelihood of a breach. In today's connected world, all staff members should be aware of data protection and cybersecurity best practices.
The survey covered 1,000 employees from multiple industries and revealed a shocking lack of cybersecurity awareness in the healthcare industry. Many healthcare workers were completely unaware of modern security threats that allow unauthorized access to private data. Only 16% of healthcare workers reported understanding social engineering threats such as phishing “very well”. This is a huge risk for anyone with personal health information stored online. Just one untrained employee at a healthcare organization can ruin security for everyone.
One of the most disturbing implications of these findings is that many healthcare organizations are most likely violating HIPAA. The HIPAA security rule mandates that healthcare professionals who come into contact with protected health information undergo security awareness training. Healthcare organizations that do not mandate training are putting all of their patient information at risk.
The Department of Health and Human Services Office for Civil Rights (OCR) can impose penalties specifically for not training employees. Training is an administrative requirement under the security rule. New employees must be trained within 10 days of hire, so any healthcare organizations that do not immediately offer security awareness training could be subject to OCR penalties in the event a breach occurs.
Another scary revelation from the Osterman survey is that many employees were unaware of their responsibility to comply with the various laws that regulate their industry. For example, only 61% of those surveyed were aware that their organization had to comply with HIPAA. 20% knew their workplace did not need to comply, but the remaining 21% of respondents were unsure whether their employer had to abide by HIPAA regulations. That 21% of employees is a serious risk, since being unsure of their HIPAA status means they may not follow the disclosure requirements for private health information. An effective training program should make it clear to employees which regulations apply to them and why staying compliant matters.
Outside of healthcare, the survey had many concerning responses to questions across several industries including finance, technology, professional services, government, retail, and education. Less than half of the respondents thought that clicking on a link in an email could infect their devices with malware. About half of respondents thought that they do not need security awareness training since they are not in the IT department. This is an extremely dangerous mindset to have since cybersecurity is everyone’s job.
Although this lack of training is an extremely dangerous issue, it is also simple to solve. Having every employee undergo mandatory security awareness training alongside HIPAA privacy training would greatly reduce digital risk. Mandating this training will lower the likelihood of a security breach and better protect patient information. It is also unfair to hold employees liable for breaches if they were never given the knowledge to prevent them beforehand.
HIPAA is specific and prescriptive about security training. Section 164.308(a)(5)(i) states:
"Implement a security awareness and training program for all members of its workforce (including management)."
Most companies interpret this to mean that security awareness training must be administered to comply with HIPAA. In addition to putting organizations at risk of a security incident or breach, not conducting security awareness training also risks penalties under HIPAA.
For a great solution that meets all of your compliance training needs, check out Haekka! Haekka ships with a large library of content including security awareness training and a HIPAA primer. Haekka’s Slack integration allows you to automatically assign training to any new employee, so the 10-day training window is taken care of. Haekka also allows administrators to periodically re-assign training, which enables everyone in an organization to keep up to date with any security changes.
The findings of the Osterman Research survey show a clear need for increased cybersecurity training in the healthcare industry. The millions of untrained employees in the workforce significantly raise the likelihood of a data breach. OCR issued millions of dollars in fines to many organizations in 2021 for HIPAA violations. Don’t let your company be one of the ones facing penalties. Make sure to train every member of your team before any issues occur. Haekka is a great all-in-one solution, but ensure that whatever training you choose aligns with your organization's needs. Let's make 2022 the year that significantly reduces healthcare breaches.